Hi Manjot, this could be due to clickjack protection (Clickjack Protection in Tableau Server ). Open your browser console (F12) and see if there are error messages indicating why the web object wouldn't load.
Thanks a lot for your help. Following is the error message that I am getting -
" Refused to display 'https://twitter.com/katyperry?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'". "
Can this be solved by resolving Clickjack Protection in Tableau? I am using a Desktop version of Tableau on Mac.
Thanks a lot for your help. I really appreciate your guidance and time.
This may be a Twitter security policy that prevents anyone from embedding Twitter content in their own page. Documentation for the frame-ancestors CSP directive says "The frame-ancestors directive specifies valid parents that may embed a page using the <frame> and <iframe> elements."
Try embedding a link to a different site (preferably some site that's not security sensitive) and see if that works.
This is definitely related to clickjacking. I'd try disabling clickjacking in Tableau Server per Jeff's link. Also, I found this from Content Security Policy Cheat Sheet - OWASP :
The established way of preventing clickjacking involves the use of the header
X-Frame-Options(see: Clickjacking_Defense_Cheat_Sheet). However, CSP 2.0 has a new directive
To prevent all framing of your content use:
Content-Security-Policy: frame-ancestors 'none'
To allow for your site only, use:
Content-Security-Policy: frame-ancestors 'self'
To allow for trusted domain (my-trusty-site.com), do the following:
Content-Security-Policy: frame-ancestors my-trusty-site.com
A word about support. Not supported in all browsers yet, Chrome 40+ and FF 35+ support, but will also default to X-Frame-Options if it exists. Spec says, CSP should take precedence. https://w3c.github.io/webappsec/specs/content-security-policy/#frame-ancestors-and-frame-options
Also, keep in mind the following (from the CSP Spec):
The frame-ancestors directive MUST be ignored when monitoring a policy, and when a contained in a policy defined via a meta element.
In otherwords, this will not work when CSP is in a <meta> tag, and will not work when using Content-Security-Policy-Report-Only.
When a report is generated, the blocked-uri will only have a value if it is the same origin as the page.
This error means that Twitter does not allow this url to be embedded in any domain other than itself. Disabling clickjack protection on Tableau Server will not affect this, as the restriction is coming from Twitter directly.
Twitter may have embed links that can be used for this purpose (Youtube and Tableau Server/Online have embed specific links which can be framed, for example).